From 8def4d03c3a9a6b47706428a53741638523efed2 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Thu, 21 Jan 2010 20:17:25 -0800 Subject: [PATCH] Document LOAD_HELPERS_ONLY=Yes Signed-off-by: Tom Eastep --- Shorewall/changelog.txt | 2 ++ Shorewall/releasenotes.txt | 24 ++++++++++++++++++++++++ 2 files changed, 26 insertions(+) diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt index a817e3d9b..7edbfd956 100644 --- a/Shorewall/changelog.txt +++ b/Shorewall/changelog.txt @@ -8,6 +8,8 @@ Changes in Shorewall 4.4.7 4) Add TC_PRIOMAP to shorewall*.conf +5) Implement LOAD_HELPERS_ONLY + Changes in Shorewall 4.4.6 1) Fix for rp_filter and kernel 2.6.31. diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt index bb79b0253..5dd4c4624 100644 --- a/Shorewall/releasenotes.txt +++ b/Shorewall/releasenotes.txt 
@@ -259,6 +259,30 @@ None. 5) Support for TPROXY has been added. See http://www.shorewall.net/Shorewall_Squid_Usage.html#TPROXY. +6) Traditionally, Shorewall has loaded all modules that could possibly + be needed twice; once in the compiler, and once when the generated + script is initialized. The latter can be a time-consuming process + on slow hardware. + + Beginning with 4.4.7, there is a LOAD_HELPERS_ONLY option in + shorewall.conf. For existing users, LOAD_HELPERS_ONLY=No is the + default. + + For new users that employ the sample configurations, + LOAD_HELPERS_ONLY=Yes will be the default. That setting causes only + a small subset of modules to be loaded; it is assumed that the + remaining modules will be autoloaded. + + Modules loaded when LOAD_HELPERS_ONLY=Yes are: + + - Protocol helpers. These cannot be autoloaded. + - Traffic shaping modules. + + In addition, the nf_conntrack_sip module is loaded with + sip_direct_media=0. This setting is slightly less secure than + sip_direct_media=1, but it solves many VOIP problems that users + routinely encounter. + ---------------------------------------------------------------------------- P R O B L E M S C O R R E C T E D I N 4 . 4 . 6 ----------------------------------------------------------------------------
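Review bot: in the Shorewall/changelog.txt hunk, the new entry "5) Implement LOAD_HELPERS_ONLY" does not match what this commit does. The subject is "Document LOAD_HELPERS_ONLY=Yes" and the diffstat lists only changelog.txt and releasenotes.txt. If the option itself was implemented in an earlier commit, the changelog line belongs with that commit. Otherwise, reword the entry or the subject so the two agree.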
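Review bot: in the Shorewall/releasenotes.txt hunk, the last paragraph of item 6 announces a security trade-off ("sip_direct_media=0. This setting is slightly less secure than sip_direct_media=1") without saying what protection is given up or how an administrator who prefers the stricter value can keep it. Since new users of the sample configurations get LOAD_HELPERS_ONLY=Yes by default, please add one sentence on what sip_direct_media=0 relaxes and one on how to override it. The same item also says "it is assumed that the remaining modules will be autoloaded" without saying what to do when that assumption does not hold. A pointer to LOAD_HELPERS_ONLY=No as the fallback would cover that case. Minor: "loaded all modules that could possibly be needed twice" reads as if the modules are needed twice; "has twice loaded all modules that could possibly be needed" is clearer.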